In an attack, phishing campaigns are being launched through genuine LinkedIn accounts. Phishing links are sent to members of the business network, and to third parties as well, via e-mail or private messages, as the security company Malwarebytes now reports in a blog post.
According to Malwarebytes, what distinguishes this campaign from others is that even long-standing and trustworthy accounts have been hacked. Premium accounts are said to be among them.
Using the InMail feature, members can contact other LinkedIn users through the network even if they are not directly connected.
The malicious message contains a reference to a shared document and a short link that points to a phishing site for Gmail and other e-mail providers. Victims are supposed to sign in there.
Those deceived, who have handed over usernames, passwords and telephone numbers for Gmail, Yahoo or AOL, do not immediately see that they have become victims of a phishing attack. Afterwards, the victim is shown another document, apparently from Wells Fargo, which is hosted on Google Docs.
Potential victims who are contacted via InMail are also directed to the document. InMail is a trusted form of communication that LinkedIn offers to only a few customers.
Users can send only a certain number of messages, and each one costs money. Because of that cost, this channel used to be rather uninteresting for hackers. In the current case, however, the hackers do not pay themselves; they use the credits of the compromised accounts.
LinkedIn says that while the transmission of the mail is secure, the content of the messages can be unsafe. In this attack, the messages are also sent with a “security footer”, which is supposed to prevent phishing e-mails by displaying the sender's position or employer in the footer. Users can also change this information.
In both cases, however, the potential victims will receive this message:
“I have just shared a document with GoogleDoc Drive,
View shared document http://ow.ly/ […] ”
Clicking on the link opens the following pages and documents:
ow[.]ly/qmxf30eWLyN
dgocs[.]gdk.mx/new/index.php
dgocs[.]gdk.mx/new/index.php?i=1
cakrabuanacsbali[.]com/wp-rxz/index.php
How many accounts were hacked, and whether new short URLs are being used, is not yet known, according to Malwarebytes. The scope of the campaign is therefore currently hard to assess.